ASGARD v1.7.2 with File and Memory Collection

Jan 15, 2019 | ASGARD Management Center, Newsletter

Our brand new ASGARD 1.7 comes with a shiny new feature: Evidence Collection

The evidence collection feature allows you to collect files or main memory from connected end systems.

The memory and file collection tasks provide a throttling option to reduce the upload speed of the dump files in order to save bandwidth and avoid higher response times of servers or workstations. 

The file collection feature allows you to get a single file, the contents of a folder with or without its sub directories. You can set size limits for each file and the whole archive.

The “Evidence Collection” tab lists all active and completed tasks. 

A log shows you the details of all the collection tasks.

ASGARD version 1.7.2 has been released today and can be upgraded via the “Updates” section. 

Please note that the memory collection on Linux endpoints is integrated but not fully supported. 

 

50 Shades of YARA

Jan 2, 2019 | YARA

A long time ago I’ve noticed that there is no single best YARA rule for a given sample, but different best solutions depending on the user’s requirements and use case. I noticed that I often create 2 to 3 YARA rules for a single sample that I process, while each of them serves a different purpose.

In this blog post, I’d like to describe the three most common rule types.

In the following example I’ll use the malware sample with hash 7415ac9d4dac5cb5051bc0e0abff69fbca4967c7 (VirusBay, Hybrid-Analysis)

While looking at the strings extracted by yarGen, you’ll notice that it contains a lot of interesting strings. In my past tutorials (1, 2, 3) I’ve always distinguished between “Highly Specific” and “Suspicious” strings (see Part 3 of the blog post series). Today I’d like to show you a more purpose oriented approach. 

The following screenshots shows what types of strings I see while looking at these strings:

The strings that are marked with yellow look very specific. I’d use them as “Highly Specific” strings ($x*) of which only a single one is required to trigger the rule: 1 of ($x*)

The strings marked green will be used in combination with other green strings. A reasonable set of these strings is required to trigger the rule: $u1 and 1 of ($f*)

The strings marked with red color could serve in a rule that tracks the C2 addresses used by this sample and the strings marked blue could be used for a generic detection of malicious samples that can be completely unrelated.

The different rule categories are:

  • Regular Rules: Detect a certain malware or malware family 
  • Threat Intel Tracking Rules: Detect specific indicators that relate to a certain actor
  • Method Detection Rules: Detect methods or anomalies 

The following table describes these three different types of rules and gives some string examples. 

Regular Rules

In the case of the “Regular Rules” I distinguish between two different flavors: 

  • Threat Detection Rules
  • Threat Hunting Rules

The difference between these flavors is based on a different level of strictness in the conditions and not on the different selection of strings. While a “threat detection” rule may require “6 of them”, a “threat hunting” rule may be satisfied with “3 of them”, accepting some false positives. 

The reason why someone distinguishes between “threat detection” and “threat hunting” rules is that the response to matches can be very different. Antivirus solutions that respond to matches with “delete” or “disinfect” reactions do not accept false positives and avoid false positives by any means.

In “threat hunting” use cases which include direct destructive reactions to signatures matches are rare. Typically analysts investigate such an event, classify and react to it manually. In “threat hunting” scenarios analysts try to avoid “false negatives” by all means. 

(Source: Chris Gerritz @gerritzc

Threat Intel Tracking

In threat intel, we can use YARA rules to track the activity of certain actors in cases in which there are certain characteristics or keywords that persist over longer periods and campaigns. 

A very convenient form of tracking without having access to the telemetry data of OS and AV vendors is offered in the form of YARA match notification services as provided by VirusTotal or ReversingLabs

Method Detection Rules

During the past year I focussed on the last rule type “Method Detection” whenever I had the opportunity as it allows me to provide very generic rules that produce amazing results with a minimum of false positives.

However, those rule matches lack a reference like a malware name or an adversary group that used the detected method in their samples. Here is an example with one of the few public YARA rules published in the “signature-base” repository:

Sample: fc18bc1c2891b18bfe644e93c60a2822ad367a697bebc8c527bc9f14dad61db5 

The comment tab shows a match with generic rule “SUSP_LNK_SuspiciousCommands” . No reference is given. The Antivirus detection ratio is low. 

You can find more matches with this rule on Virustotal using the search function – URL: https://www.virustotal.com/#/search/lnk 

Conclusion

These are the reasons why the analysis of a single sample often results in 2-3 different YARA rules.

Using this method the coverage is exceptionally good as the set of rules covers specific samples of the same family and the different malware families the use the same methods.

YARA Rule Sets and Rule Feed

Dec 21, 2018 | Newsletter, YARA

As previously announced our YARA rule packs and feeds will be available in March/April 2019. We’ve put a lot of effort into a internal system named “Mjolnir” that parses, normalizes, filters, tags and automatically modifies our rule base, which contains more than 9000 YARA rules. 

This system will now fill a database of tagged YARA rules – the basis of our new YARA services. 

The services will be divided into two categories:

  • YARA Rule Set
  • YARA Rule Feed

YARA Rule Set

The YARA rule set consist of more than 7000 YARA rules of different categories that are used in our scanners.

Some of our rules use extensions (external variables) that are only usable in our scanner products. These rules, experimental, third party and other classified rules will not be part of the purchasable rule set. 

YARA Rule Feed 

The YARA rule feed is a subscription on our rules. The feed always contains the rules of the last 90 days, which is between 250-400 YARA rules. 

Rule Samples

The quality of the rules in the rule set are comparable to the rules in our public “signature-base” repository. 

Some good examples for the different rule categories are:

Quality and Focus

The rules are tested against a data set of more than 350 TB of goodware. The goodware file repository consists of Windows OS files, several full Linux distributions and a big collection of commercial and free software. 

However, false positives are always possible. We do not recommend any destructive action on a signature match, like delete or blocking.

The main focus of our rules are:

  • Threat Hunting
  • Classification
  • Anomaly Detection
  • Compromise Assessment 

Subscribe to our Early Access Mailing List

Subscribe here

THOR 8.53 Feature: Diff Mode

Dec 6, 2018 | Newsletter, THOR

With the upcoming version 8.53 of THOR, we’re testing a new feature called “Difference” or “Diff” mode (–diff).

The idea behind “Diff” mode is that a scan could be much faster, if it would only consider elements that have been created or changed since the last scan on that system. We can apply this principle to various modules and increase scan speed massively.

Diff mode is currently supported in the long running modules

  • Filesystem – files with MAC timestamps older than the last scan (start) will be skipped
  • Registry – registry keys with last modification dates older than the last scan (start) will be skipped
  • Eventlog – runs until it reaches eventlog entries with timestamps older than the last scan (start)

Diff mode requires the use of THOR DB, which is the default but could have been disabled with “–nothordb”. This is necessary to determine information from the last scan, e.g. “when did it start” but also “which modules were used in the last scan”.

The main advantage is an incredible fast scan. Our tests showed that scans in “Diff” mode complete within 5 and 15 minutes. In “Diff” mode, the longest running module is “ProcessCheck” with run times between 3 and 6 minutes.

The main disadvantage of “Diff” mode is the inability to detect Timestomping attacks, in which attackers or malware changes the timestamps of files and other elements.

ASGARD Analysis Cockpit 2.2 Feature Overview

Dec 5, 2018 | ASGARD Analysis Cockpit, Newsletter

Later this month the new version 2.2 of ASGARD Analysis Cockpit will be released. These are the most important new features.

The Optimize Button

The new “Optimize” button allows you to add all unassigned log lines to existing cases with matching filters. It is possible that you miss some events when creating a new case, either by the wrong selection or due to the fact that new log lines can arrive at any time via SYSLOG or log file import in the background.

Now it is possible to add all unassigned log lines to previously created cases by using the “Optimize” button.   

It will not remove previously assigned log lines from existing cases. It just helps you to clear up the base lining section by removing events that are related to existing cases but haven’t been assigned to these cases yet.

You can later review all automatic assignments in the “Automatic Event Assignment” protocol.

Notification Settings

The new “notification” settings allow you to create notification rules for the following type of events:

  1. Log lines that are automatically assigned to an existing case
  2. Status changes of cases

The current supported actions are:

  1. Syslog Forwarding
  2. Email Notification

This allows you to define flexible rules for many different events. You may e.g. create a rule that sends an email notification whenever a new “Incident” case is opened. 

You could also forward all incoming log lines that are automatically assigned to a case of type “Incident” to your remote SIEM system. (each syslog message will be extended by two new fields: case_type and case_id)

An email for a opened “Incident” case will then look like this:

The attachments of these emails contain the included log lines (text) and a JSON with all case information in machine readable form.

File Importer

The File Importer status view has been improved so that it shows the number of total files in queue and the number of processed files.

Improved Reporting

The new improved reporting allows you to generate reports not only for a given period of time (e.g. last month) but custom queries on the ElasticSearch database. E.g. you can generate report for the scans on your SuSE linux systems only. 

The reports contain more panels and information on the data set. 

The data from all reports can be downloaded as JSON file. 

Upgrade to 2.2

The upgrade will be visible in the “Updates” section of your Analysis Cockpit once it is released. See the change.log notes for a full list of changes. 

 

ASGARD Management Center Feature: Scanner Package Download Links

Dec 5, 2018 | ASGARD Management Center, Newsletter

ASGARD features a new section since the last upgrade that you may have missed. It’s called “Downloads” and contains a section in which you can configure a download link for scanner packages.

In previous versions, the scanners have been accessible right from the login screen without any authentication, just like the GRR agents, which are still accessible in that way.

We’ve removed these unauthenticated scanner downloads and created that new “Downloads” section, which can be used by authenticated users in different ways.

While selecting different options in the form, the download link changes.

After you have selected the correct scanner, operating system and target hostname (not FQDN), you can copy the download link and use it to retrieve a full scanner package with included license file for that host. These download links can be send to administrators or team members that don’t have access to ASGARD management center. Remember that the recipients of that link still need to be able to reach ASGARD’s web server port 443/tcp. 

If you don’t set a hostname in the “Target Hostname” field, the scanner package will not contain a license file. If you have an unlimited “Enterprise” license, you’ll have to provide it separately.  

Use Case 1 – Provide Download Links

You can generate download links for the different scanner packages without included license for yourself or the administration team. A valid license (e.g. “Enterprise” or “Incident Response”) has to be provided and placed in the program folder. You can also use “thor-util” to retrieve licenses for specific hostnames from an ASGARD server (see the “THOR_Util_Manual.pdf” in each scanners “./docs” folder for details)

Use Case 2 – Administrator Asked to Run a Scan

You can copy the final download link and send it to an administrator, which can use this link on one of the servers to retrieve a full scanner package with license and run a scan. 

Use Case 3 – Use the URL in Script

You can use the URL in Bash or PowerShell scripts to automate scan runs on systems without installed ASGARD agent. Replace the hostname value with the value of the current host on which the script runs to get a URL for scanner download package with a host-specific license. 

STIXv2 Support in SPARK

Nov 12, 2018 | Newsletter, SPARK, SPARK Core

SPARK Version 1.17.0 adds extensive STIXv2 support.

This allows you to easily extend SPARK’s signature bases with IOCs from any sandbox, analysis or threat intel platforms that support STIXv2 export by placing the exported *.json files in the ./custom-signatures folder.

For now, the supported observable object types are:

  • file:name with = != LIKE and MATCHES
  • file:parent_directory_ref.path with = != LIKE and MATCHES
  • file:hashes.sha-256 / file:hashes.sha256 with = and !=
  • file:hashes.sha-1 / file:hashes.sha1 with = and !=
  • file:hashes.md-5 / file:hashes.md5 with = and !=
  • file:size with < <= > >= = !=
  • file:created with < <= > >= = !=
  • file:modified with < <= > >= = !=
  • file:accessed with < <= > >= = !=
  • win-registry-key:key with = != LIKE and MATCHES
  • win-registry-key:values.name with = != LIKE and MATCHES
  • win-registry-key:values.data with = != LIKE and MATCHES
  • win-registry-key:values.modified_time with < <= > >= = !=

These types are applied in different modules:

  • FileScan: file:*
  • Registry: win-registry-key:* and file:name (applied to data field)

You can find a list of products that support the STIX data exchange format here.

Short Tutorial: How to Create a YARA Rule for a Compromised Certificate

Nov 1, 2018 | YARA

Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware.

I’d like to show you an easy way to create a YARA rule for such a certificate. We will look at a sample that has been marked as malware by many Antivirus engines on Virustotal and the “Details” tab shows a revoked certificate. That’s a good indicator for a compromised certificate that has been and sometimes is still used by threat groups to sign their binaries.

Sample: ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4

Let’s look at the details. I recommend creating a YARA that uses the “pe” module of YARA and integrate the Serial Number and the Issuer of the certificate to create an unambiguous rule.

rule MAL_Compromised_Cert_Nov18_1 {
   meta:
      description = "Detects a compromised certificate of CORP 8 LIMITED - identified in November 2018"
      date = "2018-11-01"
      hash = "ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4"
   condition:
      uint16(0) == 0x5a4d and
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].issuer contains "COMODO RSA Code Signing CA" and
         pe.signatures[i].serial == "4c:75:75:69:2c:2d:06:51:03:1a:77:ab:49:22:4c:cc"
      )
}

As you can see, you need to copy two strings from Virustotals web page:

Copy the CA name and use it for the “.issue” condition as well as the serial number, which you use for the “.serial” condition. Make sure that you changed the casing to lower-case as YARA does not expect and understand uppercase characters in the serial field.

Virustotal Intelligence users can use the following hunting rule to detect new uploaded malicious samples with revoked certificates:

rule Compromised_Certificate {
  condition:
    // New files, detected by more than 30 engines and revoked certificate
   new_file and positives > 30 and tags contains "revoked-cert"
}

Important Update Process Changes

Oct 15, 2018 | Newsletter, SPARK, THOR

As we have announced in May, the old “thor-upgrade.exe” is already out-of-support and the old update servers accessed by “thor-upgrade.exe” will be decommissioned at the end of October.

The new all-round utility “thor-util.exe” now supports all of the features provided by the old “thor-upgrade.exe” including NTLM Authentication with corporate proxy servers.

You can use “thor-util.exe upgrade –help” to see all options of the “upgrade” feature.

Also note that “thor-util” has an “encrypt” feature that allows you to encrypt custom signature files and the “report” feature that creates HTML reports from plain text log files. 

The only valid update servers that should be accessible to get updates from November onward are:

  • update1.nextron-systems.com
  • update2.nextron-systems.com

The “thor-util” utility is part of the THOR and SPARK packages and can also be downloaded from the Customer Portal in the “Downloads” section.

If you are a customer and don’t have access to the Customer Portal yet, please contact us or the respective partner.